Re: [Declude.Virus] Virus report and log entry question
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> Would it be possible to E-mail one of the quarantined D*.SMD files to our
> virustrap@ account? We can then analyze it and should be able to get a
> better idea of why this is happening.

I sent sample d*.smd virus files and postmaster and log file txt to the virustrap account.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
[Declude.Virus] Where do they come from??
Pardon my language... but DAM... Where are all these virus-infected emails coming from?? Are they coming from home computers, servers or what?? You'd think that by now folks would have learned to protect their systems better. Who are the ISPs that are doing such a poor job of virus-protection??

I'm a small ISP and as far as I can tell no one on our system has gotten MyDoom (Thanks to Declude) and we're stopping several hundred per day.

~Joe
www.EastARK.com
Re: [Declude.Virus] log file analyzer
Hi,

I'm all set, needed to change the log level to mid. Caught 7 my doom in 1 hour..sheesh.

Thanks to all for helping.

Andy

- Original Message -
From: Dan Berry
To: [EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:24 AM
Subject: RE: [Declude.Virus] log file analyzer

Set the log level to MID and it works great. Just ran a virus analysis report this morning and prevented over 300 viruses from entering the data environment through e-mail attachments last week. Thank you Declude. You are good.

Dan Berry
Senior Information System/Telecommunication Coordinator
City of Raytown, MO.
816-737-6070

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of andyb
Sent: Monday, February 02, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] log file analyzer

I didn't notice it in the readme.txt. I did read ALL of the setup info on the web page...

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Sunday, February 01, 2004 8:46 PM
Subject: Re: [Declude.Virus] log file analyzer

Hi Andy,

Not sure if you got a reply...but you need to set Declude Virus LogLevel to MID. It's in the Readme.txt. I did the same thing...ran the utility before looking at the doc...

Darin.

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 11:13 PM
Subject: Fw: [Declude.Virus] log file analyzer

Hi everyone,

Scott, anybody, does the log file analyzer work? Am I chasing my tail here? Is there a log file analyzer out there that IS working? If so can someone point the way? I've looked in the archives and haven't found anything.

This is the 3rd post, and haven't even gotten a grunt from anyone yet

Thanks, Andy

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 5:12 PM
Subject: [Declude.Virus] log file analyzer

HI,

The log file analyzer 3.0 is counting the carriage return vulnerability, but not the virus. There are hundreds of viruses in the log files. It also appears that the .txt file is properly formed (no garbage, it is just saying there are - 0 - virus found)

I'm using declude 1.77.

I've tried installing the analyzer on 4 different computers, 3 different operating systems so it appears that there may be an issue with the log files, not with the analyzer.

There is nothing about this in the archives that I could find.

What does the log analyzer need to have in the logs to count the virus?

Guidance please.

thanks, Andy
Thumpernet
Re: [Declude.Virus] Virus report and log entry question
> Attached are 5 recent samples. Let me know if you need more.

Thanks -- that information is very helpful. It seems that the problem occurs when there are more than 2 MIME segments (perhaps these are coming from bounce messages).

Would it be possible to E-mail one of the quarantined D*.SMD files to our virustrap@ account? We can then analyze it and should be able to get a better idea of why this is happening.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.Virus] Virus report and log entry question
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> > > 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
> > > [ WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
> >
> > is that appearing all on one line, or on two separate lines in the log
> > file?
>
> >All on one line.
>
> This is strange -- Declude Virus should be using the file name that it
> reports in the log file.
>
> Do you have sample log file entries for an E-mail with a virus that was
> caught, where "Unknown File" was not used?

Attached are 5 recent samples. Let me know if you need more.

Bill

Declude Antivirus v1.77i26 caught the W32/[EMAIL PROTECTED] virus in sfehy.zip from [Forged] to: [Removed]
Date: 02/02/2004 14:40:20
Subject: Mail Transaction Failed
Spool File: Dd1ce048100aec351.SMD
Remote IP: 204.189.38.3

02/02/2004 14:40:19 Qd1ce048100aec351 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DD1CE0~1.VIR\0.zip,(sfehy.pif) Attachment=sfehy.zip [13] O
02/02/2004 14:40:20 Qd1ce048100aec351 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:20 Qd1ce048100aec351 Scanned: CONTAINS A VIRUS [MIME: 2 22794]
02/02/2004 14:40:20 Qd1ce048100aec351 From: [Forged] To: [Removed] [outgoing from 204.189.38.3]
02/02/2004 14:40:20 Qd1ce048100aec351 Subject: Mail Transaction Failed

---

Declude Antivirus v1.77i26 caught the W32/[EMAIL PROTECTED] virus in text.zip from [Forged] to: [Removed]
Date: 02/02/2004 14:40:36
Subject:
Spool File: Dd1df049000ae0645.SMD
Remote IP: 204.189.38.4

02/02/2004 14:40:35 Qd1df049000ae0645 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DD1DF0~1.VIR\0.zip,(text.exe) Attachment=text.zip [13] O
02/02/2004 14:40:36 Qd1df049000ae0645 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:36 Qd1df049000ae0645 Scanned: CONTAINS A VIRUS [MIME: 2 22873]
02/02/2004 14:40:36 Qd1df049000ae0645 From: [Forged] To: [Removed] [outgoing from 204.189.38.4]
02/02/2004 14:40:36 Qd1df049000ae0645 Subject:

---

Declude Antivirus v1.77i26 caught the W32/[EMAIL PROTECTED] virus in doc.zip from [Forged] to: [Removed]
Date: 02/02/2004 14:40:52
Subject: hello
Spool File: Dd1e8049500ae28e1.SMD
Remote IP: 204.189.38.3

02/02/2004 14:40:51 Qd1e8049500ae28e1 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DD1E80~1.VIR\0.zip,(doc.pif) Attachment=doc.zip [13] O
02/02/2004 14:40:52 Qd1e8049500ae28e1 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Scanned: CONTAINS A VIRUS [MIME: 2 22871]
02/02/2004 14:40:52 Qd1e8049500ae28e1 From: [Forged] To: [Removed] [outgoing from 204.189.38.3]
02/02/2004 14:40:52 Qd1e8049500ae28e1 Subject: hello

---

Declude Antivirus v1.77i26 caught the W32/[EMAIL PROTECTED] virus in readme.zip from [Forged] to: [Removed]
Date: 02/02/2004 14:41:10
Subject: Hi
Spool File: Dd1e50bb100a21fe8.SMD
Remote IP: 204.189.38.3

02/02/2004 14:41:09 Qd1e50bb100a21fe8 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DD1E50~1.VIR\0.zip,(readme.cmd) Attachment=readme.zip [13] O
02/02/2004 14:41:10 Qd1e50bb100a21fe8 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Scanned: CONTAINS A VIRUS [MIME: 2 22877]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 From: [Forged] To: [Removed] [outgoing from 204.189.38.3]
02/02/2004 14:41:10 Qd1e50bb100a21fe8 Subject: Hi

---

Declude Antivirus v1.77i26 caught the W32/[EMAIL PROTECTED] virus in message.pif from [Forged] to: [Removed]
Date: 02/02/2004 14:41:25
Subject: Error
Spool File: Dd1cd0bac00a2c218.SMD
Remote IP: 204.189.38.3

02/02/2004 14:41:24 Qd1cd0bac00a2c218 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DD1CD0~1.VIR\0.pif Attachment=message.pif [13] O
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Found a bogus .pif file
02/02/2004 14:41:25 Qd1cd0bac00a2c218 File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 1]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Scanned: CONTAINS A VIRUS [MIME: 2 22777]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 From: [Forged] To: [Removed] [outgoing from 204.189.38.3]
02/02/2004 14:41:25 Qd1cd0bac00a2c218 Subject: Error
Re: [Declude.Virus] Virus report and log entry question
> 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
> [ WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
>
> is that appearing all on one line, or on two separate lines in the log file?

> All on one line.

This is strange -- Declude Virus should be using the file name that it reports in the log file.

Do you have sample log file entries for an E-mail with a virus that was caught, where "Unknown File" was not used?

-Scott
RE: [Declude.Virus] Backdoor.Coreflood Virus new variant?
Paul,

I think this was out awhile back...

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html

Keith

-Original Message-
From: paul [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Backdoor.Coreflood Virus new variant?

I've not seen any info about this virus yet, but have an XP system infected with it. What a mess! It brings the system to a crawl..

Paul

> Does anyone know whether the new variant of the Backdoor.Coreflood is
> detected with F-Prot? We have the latest version of virus definitions
> for F-Prot, but one of our users received this virus and it looks like
> it may have come through email. Has anyone run into the new variant
> of this virus?
> It looks like it was only started to be detected by Symantec's Virus
> definitions in yesterday's update and that is the only reason our user
> initially picked it up. Does anyone know if this virus even spreads
> via email?
>
> Jim Matuska Jr.
> Computer Tech II
> CCNA
> Nez Perce Tribe
> Information Systems
> [EMAIL PROTECTED]
Re: [Declude.Virus] Virus report and log entry question
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> > > This is indeed due to an issue with Declude Virus -- it will be fixed in
> > > the next interim release.
> >
> >Scott, I upgraded to Declude v1.77i26 and that took care of the file name
> >issue - thanks! However, I am now noticing that about 1 in 10 postmaster
> >messages is displaying "virus in Unknown File", even though most times the
> >file name is correctly identified in the virus log (see attachment).
>
> What is the REPORT2 line in your \IMail\Declude\virus.cfg file?

# TrendMicro
SCANFILE2 C:\Progra~1\Trend\Sprotect\vscantm.bin /NBPM /NM /NB /NC /Q /LR=report.txt
VIRUSCODE2 1
REPORT2 Found

> In the line:
>
> 02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus=
> [ WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt
>
> is that appearing all on one line, or on two separate lines in the log file?

All on one line.

Bill
RE: [Declude.Virus] Virus Getting Through?
ae826f4201022dc0 doesn't appear anywhere in the declude virus log, nor does it appear in the imail spam log. We ARE using some DNSBL's with IMail 8's anti-spam, but that ip address isn't in any of them and there were no imail spam headers inserted into the message.

However, I think you hit it with the SMTP service being restarted. While I didn't restart it, I found this in the event log:

The IMail SMTP Server service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 0 milliseconds: No action.

It would then appear that IMail monitor service then restarted the SMTP service -- and it would appear that someone took my pager out of the notification list so I wasn't notified.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, February 02, 2004 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.Virus] Virus Getting Through?
>
> >This morning Norton caught a copy of MyDoom in my inbox. At first I assumed
> >it was just one of the damaged variants, but I decided to track it down and
> >make sure.
> >
> >Following is a log snippet from when the message came in.
> >
> >20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58]
> >d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
> >20040201 205726 127.0.0.1 SMTPD (6F420102) [4.5.245.119]
> >d:\IMail\spool\Dae826f4201022dc0.SMD 32178
> >20040201 205726 127.0.0.1 SMTPD (6F420102) performing antispam checks
>
> Does "ae826f4201022dc0" appear anywhere in the Declude Virus log file? Have you checked the IMail anti-spam logs to see if it did anything with the E-mail? Do you know if you stopped/restarted the IMail SMTP service around that time? Are you using the DNSBLs in IMail v8's anti-spam?
>
> >BTW, Comparison of the logs shows that other messages from the same IP
> >address were scanned and caught, so this one doesn't look like it is a
> >"damaged variant" issue.
>
> Given the similarity in file sizes between the one that was caught and the one that was not, I would tend to agree with you here.
>
> -Scott
Re: [Declude.Virus] Virus report and log entry question
> > This is indeed due to an issue with Declude Virus -- it will be fixed in
> > the next interim release.
>
> Scott, I upgraded to Declude v1.77i26 and that took care of the file name
> issue - thanks! However, I am now noticing that about 1 in 10 postmaster
> messages is displaying "virus in Unknown File", even though most times the
> file name is correctly identified in the virus log (see attachment).

What is the REPORT2 line in your \IMail\Declude\virus.cfg file?

In the line:

02/01/2004 09:32:06 Q3816855d009e4e46 Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\D38168~1.VIR\1.zip,(body.txt

is that appearing all on one line, or on two separate lines in the log file?

-Scott
RE: [Declude.Virus] Virus Getting Through?
> However, I think you hit it with the SMTP service being restarted. While I
> didn't restart it, I found this in the event log:
>
> The IMail SMTP Server service terminated unexpectedly. It has done this 8
> time(s). The following corrective action will be taken in 0 milliseconds:
> No action.

There is a known issue with IMail v8 that can prevent Declude from being called if this happens. Ipswitch is working on it, and hopefully the next update of IMail will fix it.

-Scott
Re: [Declude.Virus] Virus Getting Through?
> This morning Norton caught a copy of MyDoom in my inbox. At first I assumed
> it was just one of the damaged variants, but I decided to track it down and
> make sure.
>
> Following is a log snippet from when the message came in.
>
> 20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
> 20040201 205726 127.0.0.1 SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178
> 20040201 205726 127.0.0.1 SMTPD (6F420102) performing antispam checks

Does "ae826f4201022dc0" appear anywhere in the Declude Virus log file? Have you checked the IMail anti-spam logs to see if it did anything with the E-mail? Do you know if you stopped/restarted the IMail SMTP service around that time? Are you using the DNSBLs in IMail v8's anti-spam?

> BTW, Comparison of the logs shows that other messages from the same IP
> address were scanned and caught, so this one doesn't look like it is a
> "damaged variant" issue.

Given the similarity in file sizes between the one that was caught and the one that was not, I would tend to agree with you here.

-Scott
[Declude.Virus] Virus Getting Through?
I'm running IMail 8.05 and Declude 1.76i20

This morning Norton caught a copy of MyDoom in my inbox. At first I assumed it was just one of the damaged variants, but I decided to track it down and make sure.

Following is a log snippet from when the message came in.

20040201 205721 127.0.0.1 SMTPD (6F420102) [198.77.222.101] connect 4.5.245.119 port 1178
20040201 205721 127.0.0.1 SMTPD (6F420102) [4.5.245.119] EHLO edgertonstravel.com
20040201 205721 127.0.0.1 SMTPD (A4840146) [80.53.129.115] HELO yx115.internetdsl.tpnet.pl
20040201 205722 127.0.0.1 SMTPD (6F420102) [4.5.245.119] MAIL FROM:<[EMAIL PROTECTED]>
20040201 205722 127.0.0.1 SMTPD (6F420102) [4.5.245.119] RCPT TO:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1 SMTPD (A4840146) [80.53.129.115] MAIL FROM: <[EMAIL PROTECTED]>
20040201 205725 127.0.0.1 SMTPD (2CA400EE) [198.77.222.54] connect 64.186.56.58 port 48837
20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] EHLO bkupmail.tspec.net
20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] MAIL From:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] RCPT To:<[EMAIL PROTECTED]>
20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] d:\IMail\spool\Dae852ca400ee3baa.SMD 32192
20040201 205725 127.0.0.1 SMTPD (2CA400EE) performing antispam checks
20040201 205726 127.0.0.1 SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178
20040201 205726 127.0.0.1 SMTPD (6F420102) performing antispam checks

Both of the incoming messages are actually infected, but when we look in the virus log:

02/01/2004 20:56:30 Qae4b6f4101025959 Scanned: Virus Free [MIME: 1 3939]
02/01/2004 20:56:31 Qae4da47d01466157 Scanned: Virus Free [MIME: 2 2743]
02/01/2004 20:56:33 Qae516aed013a6f90 Scanned: Virus Free [MIME: 1 1866]
02/01/2004 20:57:08 Qae74a4800146f877 Scanned: Virus Free [MIME: 1 4498]
02/01/2004 20:57:12 Qae676af0013ac34e Scanned: Virus Free [MIME: 1 29053]
02/01/2004 20:57:26 Qae852ca400ee3baa File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
02/01/2004 20:57:26 Qae852ca400ee3baa Scanned: CONTAINS A VIRUS [MIME: 2 22887]
02/01/2004 20:57:26 Q6d63d8e0b0c Scanned: Virus Free [MIME: 1 1036]
02/01/2004 20:57:30 Q6d64d3e0a8c Scanned: Virus Free [MIME: 1 244]
02/01/2004 20:59:01 Q6d7b20e0988 Scanned: Virus Free [MIME: 1 506]
02/01/2004 20:59:15 Qaef29dca0116e226 Scanned: Virus Free [MIME: 1 4783]

You'll see that only one of the two messages was even scanned. Obviously Declude can't catch it if IMail isn't passing the message to it. Is this a known issue?

BTW, comparison of the logs shows that other messages from the same IP address were scanned and caught, so this one doesn't look like it is a "damaged variant" issue.
Re: [Declude.Virus] log file analyzer
Andy,

If you have not gotten this to work yet please send me a copy of the log file off list at [EMAIL PROTECTED] so we can see what might be happening. Also, what version of Declude are you using?

Stu

At 09:04 AM 01/31/2004 -0500, you wrote:
>I tried 2.2, did the same thing.
>
>thanks, andy
>
>- Original Message -
>From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, January 31, 2004 2:07 AM
>Subject: RE: [Declude.Virus] log file analyzer
>
>As far as the error message, you need to comment out or delete a part of the
>setup config file, I forget what it is called. I think it is the second
>section. The one that talks about some vb dll and such.
>
>I am using version 1.2 and 2.2 fine. Try using 2.2.
>
>John Tolmachoff
>Engineer/Consultant/Owner
>eServices For You
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED] On Behalf Of andyb
>> Sent: Friday, January 30, 2004 9:16 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [Declude.Virus] log file analyzer
>>
>> Yes, I did the install in that order.
>>
>> I got an error on the NT boxes on the install, but on a Win 2000 server
>> and on the Win98 box, the install went fine.
>>
>> The analyzer appears to be working, it just isn't counting the virus, only
>> the CR vulnerability.
>>
>> thanks, andy
>>
>> - Original Message -
>> From: "Fritz Squib" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Friday, January 30, 2004 11:46 PM
>> Subject: RE: [Declude.Virus] log file analyzer
>>
>> Andy,
>> I'm using http://www.csonline.net/imailstuff/viruslog.htm v 3.0.0 beta on
>> Declude v1.77i12 Pro and it's working fine.
>>
>> Only 1 scanner, f-prot.
>>
>> You DID run the installer from v222 first THEN replace the 222 executable
>> with the 3.0.0, right?
>>
>> Fritz
>>
>> Frederick P. Squib, Jr.
>> Network Operations/Mail Administrator
>> Citizens Telephone Company of Kecksburg
>> http://www.wpa.net
>>
>> () ascii ribbon campaign - against html mail
>> /\ - against microsoft attachments
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of andyb
>> Sent: Friday, January 30, 2004 11:13 PM
>> To: [EMAIL PROTECTED]
>> Subject: Fw: [Declude.Virus] log file analyzer
>>
>> Hi everyone,
>>
>> Scott, anybody, does the log file analyzer work? Am I chasing my tail here?
>> Is there a log file analyzer out there that IS working? If so can someone
>> point the way? I've looked in the archives and haven't found anything.
>>
>> This is the 3rd post, and haven't even gotten a grunt from anyone yet
>>
>> Thanks, Andy
>>
>> - Original Message -
>> From: andyb
>> To: [EMAIL PROTECTED]
>> Sent: Friday, January 30, 2004 5:12 PM
>> Subject: [Declude.Virus] log file analyzer
>>
>> HI,
>>
>> The log file analyzer 3.0 is counting the carriage return vulnerability,
>> but not the virus. There are hundreds of viruses in the log files. It also
>> appears that the .txt file is properly formed (no garbage, it is just
>> saying there are - 0 - virus found)
>>
>> I'm using declude 1.77.
>>
>> I've tried installing the analyzer on 4 different computers, 3 different
>> operating systems so it appears that there may be an issue with the log
>> files, not with the analyzer.
>>
>> There is nothing about this in the archives that I could find.
>>
>> What does the log analyzer need to have in the logs to count the virus?
>>
>> Guidance please.
>>
>> thanks, Andy
>> Thumpernet
RE: [Declude.Virus] log file analyzer
Set the log level to MID and it works great. Just ran a virus analysis report this morning and prevented over 300 viruses from entering the data environment through e-mail attachments last week. Thank you Declude. You are good.

Dan Berry
Senior Information System/Telecommunication Coordinator
City of Raytown, MO.
816-737-6070

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of andyb
Sent: Monday, February 02, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] log file analyzer

I didn't notice it in the readme.txt. I did read ALL of the setup info on the web page...

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Sunday, February 01, 2004 8:46 PM
Subject: Re: [Declude.Virus] log file analyzer

Hi Andy,

Not sure if you got a reply...but you need to set Declude Virus LogLevel to MID. It's in the Readme.txt. I did the same thing...ran the utility before looking at the doc...

Darin.

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 11:13 PM
Subject: Fw: [Declude.Virus] log file analyzer

Hi everyone,

Scott, anybody, does the log file analyzer work? Am I chasing my tail here? Is there a log file analyzer out there that IS working? If so can someone point the way? I've looked in the archives and haven't found anything.

This is the 3rd post, and haven't even gotten a grunt from anyone yet

Thanks, Andy

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 5:12 PM
Subject: [Declude.Virus] log file analyzer

HI,

The log file analyzer 3.0 is counting the carriage return vulnerability, but not the virus. There are hundreds of viruses in the log files. It also appears that the .txt file is properly formed (no garbage, it is just saying there are - 0 - virus found)

I'm using declude 1.77.

I've tried installing the analyzer on 4 different computers, 3 different operating systems so it appears that there may be an issue with the log files, not with the analyzer.

There is nothing about this in the archives that I could find.

What does the log analyzer need to have in the logs to count the virus?

Guidance please.

thanks, Andy
Thumpernet
Re: [Declude.Virus] log file analyzer
I didn't notice it in the readme.txt. I did read ALL of the setup info on the web page...

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Sunday, February 01, 2004 8:46 PM
Subject: Re: [Declude.Virus] log file analyzer

Hi Andy,

Not sure if you got a reply...but you need to set Declude Virus LogLevel to MID. It's in the Readme.txt. I did the same thing...ran the utility before looking at the doc...

Darin.

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 11:13 PM
Subject: Fw: [Declude.Virus] log file analyzer

Hi everyone,

Scott, anybody, does the log file analyzer work? Am I chasing my tail here? Is there a log file analyzer out there that IS working? If so can someone point the way? I've looked in the archives and haven't found anything.

This is the 3rd post, and haven't even gotten a grunt from anyone yet

Thanks, Andy

- Original Message -
From: andyb
To: [EMAIL PROTECTED]
Sent: Friday, January 30, 2004 5:12 PM
Subject: [Declude.Virus] log file analyzer

HI,

The log file analyzer 3.0 is counting the carriage return vulnerability, but not the virus. There are hundreds of viruses in the log files. It also appears that the .txt file is properly formed (no garbage, it is just saying there are - 0 - virus found)

I'm using declude 1.77.

I've tried installing the analyzer on 4 different computers, 3 different operating systems so it appears that there may be an issue with the log files, not with the analyzer.

There is nothing about this in the archives that I could find.

What does the log analyzer need to have in the logs to count the virus?

Guidance please.

thanks, Andy
Thumpernet
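Two threads above turn on reading the Declude Virus log: the "log file analyzer" thread (the analyzer only counts viruses once LogLevel MID writes the per-scanner "Scanner N: Virus=" lines) and "Virus Getting Through?" (a spool file IMail accepted never got a Q... entry in the Declude log because the SMTP service had crashed). The script below is an added example, not code from any post, from Declude or from the analyzer: it parses log lines in the formats quoted in those threads, counts infected messages per virus name, and cross-checks the D<hex>.SMD spool names in the IMail SMTP log against the Q<hex> ids in the Declude log to list messages that were accepted but never scanned. The sample lines are constructed from the quoted formats, and the virus name W32/Mydoom@MM stands in for the name the archive redacts.

```python
import re
from collections import Counter, defaultdict

# Declude Virus log line: "MM/DD/YYYY HH:MM:SS Q<hexid> <message>".
DECLUDE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} Q([0-9a-fA-F]+) (.*)$")
# Per-scanner detection, as quoted in the thread (needs LogLevel MID):
# "Scanner 1: Virus= <name> Attachment=<file> [13] O"
SCANNER_RE = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s+Attachment=(\S+)")
# Final verdict: "Scanned: CONTAINS A VIRUS [MIME: 2 22794]" / "Scanned: Virus Free [MIME: 1 3939]".
VERDICT_RE = re.compile(r"^Scanned: (CONTAINS A VIRUS|Virus Free) \[MIME: (\d+) (\d+)\]")
# IMail SMTP log line recording the spool file written for a message:
# "... SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178"
SPOOL_RE = re.compile(r"\\D([0-9a-fA-F]+)\.SMD\s+(\d+)\s*$")

# Constructed sample input following the formats quoted in the threads.
SMTP_LOG = [
    r"20040201 205725 127.0.0.1 SMTPD (2CA400EE) [64.186.56.58] d:\IMail\spool\Dae852ca400ee3baa.SMD 32192",
    r"20040201 205725 127.0.0.1 SMTPD (2CA400EE) performing antispam checks",
    r"20040201 205726 127.0.0.1 SMTPD (6F420102) [4.5.245.119] d:\IMail\spool\Dae826f4201022dc0.SMD 32178",
    r"20040201 205726 127.0.0.1 SMTPD (6F420102) performing antispam checks",
]
DECLUDE_LOG = [  # W32/Mydoom@MM is a constructed stand-in for the redacted name
    r"02/01/2004 20:57:12 Qae676af0013ac34e Scanned: Virus Free [MIME: 1 29053]",
    r"02/01/2004 20:57:26 Qae852ca400ee3baa Scanner 1: Virus= W32/Mydoom@MM Attachment=text.zip [13] O",
    r"02/01/2004 20:57:26 Qae852ca400ee3baa Scanner 2: Virus= [ WORM_MYDOOM.A](1) in M:\IMail\spool\DAE852~1.VIR\0.zip,(text.exe) Attachment=text.zip [13] O",
    r"02/01/2004 20:57:26 Qae852ca400ee3baa File(s) are INFECTED [ W32/Mydoom@MM: 3]",
    r"02/01/2004 20:57:26 Qae852ca400ee3baa Scanned: CONTAINS A VIRUS [MIME: 2 22887]",
]


def parse_declude_log(lines):
    """Group Declude Virus log lines by queue id (the Q... token, lower-cased).

    Returns {qid: {"detections": [(scanner_no, virus_name, attachment)],
                   "verdict": "CONTAINS A VIRUS" | "Virus Free" | None,
                   "mime_parts": int | None}}."""
    records = defaultdict(lambda: {"detections": [], "verdict": None, "mime_parts": None})
    for line in lines:
        m = DECLUDE_RE.match(line.strip())
        if not m:
            continue  # not a Declude line (or truncated); skip it
        qid, msg = m.group(1).lower(), m.group(2)
        rec = records[qid]
        d = SCANNER_RE.match(msg)
        if d:
            rec["detections"].append((int(d.group(1)), d.group(2), d.group(3)))
            continue
        v = VERDICT_RE.match(msg)
        if v:
            rec["verdict"] = v.group(1)
            rec["mime_parts"] = int(v.group(2))
    return dict(records)


def virus_counts(records):
    """Infected messages per virus name, the figure the log analyzer reports.

    A message is counted once even when two scanners flag it; the name from
    the lowest-numbered scanner is used."""
    counts = Counter()
    for rec in records.values():
        if rec["verdict"] == "CONTAINS A VIRUS" and rec["detections"]:
            counts[min(rec["detections"])[1]] += 1
    return counts


def spool_ids_from_smtp_log(lines):
    """Map each spool id (D<hex>.SMD without the D and .SMD) to its byte size."""
    spool = {}
    for line in lines:
        m = SPOOL_RE.search(line.strip())
        if m:
            spool[m.group(1).lower()] = int(m.group(2))
    return spool


def unscanned_messages(smtp_lines, declude_lines):
    """Spool files IMail accepted that never appear in the Declude log.

    The ids line up: spool file Dae852ca400ee3baa.SMD is logged by Declude as
    Qae852ca400ee3baa, so a spool id with no Q entry was never handed to the
    scanner (the symptom seen after the IMail SMTP service crashed)."""
    spool = spool_ids_from_smtp_log(smtp_lines)
    scanned = parse_declude_log(declude_lines)
    return sorted((sid, size) for sid, size in spool.items() if sid not in scanned)


if __name__ == "__main__":
    recs = parse_declude_log(DECLUDE_LOG)
    for name, n in virus_counts(recs).items():
        print(f"{n} infected message(s): {name}")
    for sid, size in unscanned_messages(SMTP_LOG, DECLUDE_LOG):
        print(f"spool D{sid}.SMD ({size} bytes) was accepted by IMail but never scanned")
```

Run against the real logs, an empty virus_counts() with a non-empty SMTP log is the sign that LogLevel is below MID, while a non-empty unscanned list points at IMail not calling Declude.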
RE: [Declude.Virus] BANEXT
> BANEXT data

Does not look to be executable.
http://filext.com/detaillist.php?extdetail=data&Submit3=Go%21

> BANEXT link

No such extension found.
http://filext.com/detaillist.php?extdetail=link&goButton=Go

> BANEXT unk

No such extension found.
http://filext.com/detaillist.php?extdetail=unk

> BANEXT uue

Some kind of encoded file, maybe compressed.
http://filext.com/detaillist.php?extdetail=uue

John Tolmachoff
Engineer/Consultant/Owner
eServices For You